Find Out if Your Access Management Program Is Successful with KPIs

The sky is falling every day in cybersecurity. Why should I pay attention now?

That’s what most of your executives are thinking when you raise security issues to them. They face multiple issues beyond security. Should they approve a new marketing program using LinkedIn? Does it make sense to focus more resources on product development? In the midst of these discussions, how do you make a persuasive, credible case for cybersecurity?

You need to know the numbers, specifically by developing and using access management KPIs. If you miss KPIs, your access management requests and concerns won’t earn traction inside the company. In the end, that means more late nights in the IT security office responding to crises. Who wants that? Here’s what you can do to improve the situation.

Measure What Matters in IT Security

Is your organization more or less secure than it was six months ago? That’s one of the critical questions you can answer by measuring your IT security performance. For the best results, you need to develop lead and lag indicators. Lead indicators have a high likelihood of predicting the future while lag indicators predict what was happened. For instance, a lead indicator in sales would be “number of product demo meetings booked with prospects” while a lead indicator would be “number of closed sales.”

To assist in your brainstorming, consider some measurements commonly seen in cybersecurity departments.

Number of machines with current patches: This metric measures your patch management process. If you lack necessary patches on all your machines, you’re more likely to be hacked.

Number of DDOS attacks on servers: This measure tells you how often you’re being attacked.

Percentage of employees who completed annual cybersecurity training: This indicator tells you about your effectiveness in preparing employees to understand security.

Percentage of IT budget dedicated to cybersecurity: In banking, it’s common to see 5-10% of the total budget dedicated to cybersecurity. This measure helps you track whether cybersecurity support is keeping up with the growth of the business.

Number of outstanding IT security audit findings: If you have an internal audit department, this measure will help you understand more about your IT security control effectiveness.

Percentage of users with superuser privileges: This metric shows how many superusers you have. If these accounts are hacked, you’ll face a world of trouble, so you want to keep this measure relatively stable or declining over time.

Percentage of employees who clicked links in phishing tests: Some companies send fake phishing emails to their employees as a way to test the effectiveness of cybersecurity training.

Number of password reset requests fulfilled by the help desk: This measure will give you some insight into the work effort involved in managing passwords.

Percentage of cybersecurity staff that holds an active certification: Well-trained cybersecurity staff is a critical component for success. You’ll want this metric to increase over time.

Number of ID cards reported lost in the past 12 months: If a lost ID card falls into the wrong hands, your company’s physical security is at risk. That’s why you need to track this figure. You probably can’t get it to zero. By monitoring this metric, you can see if you need to make adjustments in your management approach.

Now, take a deep dive into the key performance indicators for access management.

What Access Management KPIs Should You Have?

Before diving into specific KPIs, consider the big picture for a moment. Why does access management matter? Access gives you the keys to everything else. If someone gets the right keys, he or she can sidestep most of your other cybersecurity protections. After all, there’s no reason for attackers to carry out a denial of service attack when they have access credentials. Look at the various KPIs available.

Lead KPIs for Access Management

Policy review and refresh completed in the past 12 months: This is a yes or no KPI. Have you reviewed and updated your company policies related to access management?

Percentage of new hires that have completed access management training: You can’t expect new hires to know your expectations unless you lay them out.

Average approval time for access requests: Set a timeline (e.g., one business day) and measure against it. If staff members know that access requests will be reviewed promptly, they’ll be less likely to share IDs.

Percentage of systems covered by access management software: For your access management solution to succeed, it needs to cover as many of your systems as possible. You want to see this metric increase over time.

Taken together, these access management KPIs show you’re trending in the right direction. You also need lagging indicators to report on problems.

Lag KPIs for Access Management

Use these access management KPIs to report on the state of access management.

Access management issues reported in audit findings: Track this indicator to see if audit has identified any problems related to access.

Number of inactive user IDs: Set a timeline to define inactive accounts (e.g., 30-60 days) and track it. You want to reduce inactive user IDs as much as possible.

Number of segregation of duties violations per quarter: Requesters and approvers need to be distinct roles for access management to function. This metric will need to be customized to your organization’s needs.

Number of administrative accounts without an owner: What happens to a pair of keys that nobody owns? They’re likely to be lost! To track this metric, you’ll need to periodically review your superusers, administrative accounts, and others with unusual accounts. For example, are a valid name, email address, and phone number associated with each administrative account?